From 8caf4972568ccdb2aa68826b8ea10121b23fb1ee Mon Sep 17 00:00:00 2001
From: Jan Schulz-Hofen
Date: Wed, 2 Dec 2015 18:33:12 +0800
Subject: [PATCH 3/7] Send a security notification when a user's password is changed
---
 app/controllers/account_controller.rb | 6 ++++++
 app/controllers/my_controller.rb | 6 ++++++
 test/functional/account_controller_test.rb | 5 +++++
 test/functional/my_controller_test.rb | 13 +++++++++++++
 4 files changed, 30 insertions(+)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 3c31895..6c2d5b0 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -73,6 +73,12 @@ class AccountController < ApplicationController
 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
 if @user.save
 @token.destroy
+ Mailer.security_notification(@user,
+ message: :mail_body_security_notification_change,
+ field: :field_password,
+ title: :button_change_password,
+ url: {controller: 'my', action: 'password'}
+ ).deliver
 flash[:notice] = l(:notice_account_password_updated)
 redirect_to signin_path
 return
diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 9fdc143..38f0157 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -105,6 +105,12 @@ class MyController < ApplicationController
 if @user.save
 # The session token was destroyed by the password change, generate a new one
 session[:tk] = @user.generate_session_token
+ Mailer.security_notification(@user,
+ message: :mail_body_security_notification_change,
+ field: :field_password,
+ title: :button_change_password,
+ url: {controller: 'my', action: 'password'}
+ ).deliver
 flash[:notice] = l(:notice_account_password_updated)
 redirect_to my_account_path
 end
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 8dfda0f..6b1a405 100644 
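Review bot: The `Mailer.security_notification(@user, message: :mail_body_security_notification_change, field: :field_password, title: :button_change_password, url: {controller: 'my', action: 'password'}).deliver` call added after `@token.destroy` is repeated verbatim in the my_controller.rb hunk, so the two password-change paths can drift apart and any further path has to copy the same six lines again; a single Mailer entry point that fixes these keys, e.g. `Mailer.password_changed_notification(@user).deliver`, would leave one place to audit. Delivery is also synchronous and runs after `@user.save` and `@token.destroy`, so if `deliver` raises (mail server unreachable) and Mailer does not already suppress delivery errors, the request fails after the password has been changed and the recovery token consumed, and the user sees an error page for a reset that actually succeeded; logging the failure and still setting the notice and redirecting would be safer. The enclosing action starts and ends outside the hunk.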
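Review bot: The existing comment explains why `session[:tk]` is regenerated, but nothing says why a mail is sent at this point, and the intent is not obvious from the generic `security_notification` name; a one-line comment above `Mailer.security_notification(@user,` such as `# Tell the account owner out of band, so a password change they did not make gets noticed` would document it at the same level as the line above. The duplication of this call with the identical one in account_controller.rb is raised on that hunk. The enclosing action starts and ends outside the hunk.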
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -372,6 +372,7 @@ class AccountControllerTest < ActionController::TestCase
 end

 def test_post_lost_password_with_token_should_change_the_user_password
+ ActionMailer::Base.deliveries.clear
 user = User.find(2)
 token = Token.create!(:action => 'recovery', :user => user)

@@ -380,6 +381,10 @@ class AccountControllerTest < ActionController::TestCase
 user.reload
 assert user.check_password?('newpass123')
 assert_nil Token.find_by_id(token.id), "Token was not deleted"
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+ end
 end

 def test_post_lost_password_with_token_for_non_active_user_should_fail
diff --git a/test/functional/my_controller_test.rb b/test/functional/my_controller_test.rb
index 92ee247..f048b62 100644
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -193,6 +193,19 @@ class MyControllerTest < ActionController::TestCase
 assert_redirected_to '/my/account'
 end

+ def test_change_password_should_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ post :password, :password => 'jsmith',
+ :new_password => 'secret123',
+ :new_password_confirmation => 'secret123'
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_no_match 'secret123', mail # just to be sure: pw should never be sent!
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+ end
+ end
+
 def test_page_layout
 get :page_layout
 assert_response :success
-- 
2.4.0
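Review bot: In the second account_controller_test.rb hunk the new assertions check that a mail was sent and links to /my/password, but unlike `test_change_password_should_send_security_notification` in the my_controller_test.rb hunk they never check that the new password is absent from the body, and `mail` is assigned inside `assert_not_nil (mail = …)` and then never used; adding `assert_mail_body_no_match 'newpass123', mail` after the `assert_not_nil` line closes that gap for the reset path and gives the assignment a purpose. Splitting the assignment out as `mail = ActionMailer::Base.deliveries.last` followed by `assert_not_nil mail` also reads more plainly than an assignment inside the assertion argument; the same form appears in the my_controller_test.rb hunk.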